viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: add retry middleware and per-service rate limit for ha-sofia

Browse source 
The global rate limit (10 req/s, 50 burst) was too aggressive for HA
dashboards that load 30+ JS files on page load, causing 429s. VPN tunnel
blips between London K8s and Sofia caused 502s with no retry fallback.

- Add traefik-retry middleware to reverse-proxy factory (all services)
- Add skip_global_rate_limit variable to both reverse-proxy factories
- Create ha-sofia-rate-limit middleware (100 avg, 200 burst)
- Apply to ha-sofia and music-assistant (both route to Sofia)
This commit is contained in:
Viktor Barzin 2026-04-05 20:47:58 +03:00
parent ccc956ab9c
commit 56583c3825
3 changed files with 56 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

7
stacks/platform/modules/reverse_proxy/factory/main.tf
View file

@ -41,6 +41,10 @@ variable "extra_middlewares" {
type = list(string)
default = []
}
variable "skip_global_rate_limit" {
type = bool
default = false
}
resource "kubernetes_service" "proxied-service" {
@ -71,7 +75,8 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
namespace = var.namespace
annotations = merge({
"traefik.ingress.kubernetes.io/router.middlewares" = join(",", compact(concat([
"traefik-rate-limit@kubernetescrd",
"traefik-retry@kubernetescrd",
var.skip_global_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
"traefik-crowdsec@kubernetescrd",
var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,